NAT hairpin in C/S mode configuration example
Network requirements
As shown in Figure 62, the internal FTP server at 192.168.1.4/24 provides services for both internal and external users. The private network has two public IP addresses, 202.38.1.1 and 202.38.1.2: 202.38.1.1 is assigned to the router interface connected to the external network, and 202.38.1.2 is reserved for the NAT Server mapping of the FTP server.
Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.
Figure 62: Network diagram
Requirements analysis
To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.
To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks:
Enable NAT hairpin on the interface connected to the internal network.
Configure outbound NAT on the interface where NAT Server is configured. For a hairpinned packet, the destination address is translated by matching the NAT Server, and the source address is translated by matching the outbound NAT. The source translation is required: without it, the FTP server would see the internal host's private address and reply to it directly on the LAN, the reply would bypass the NAT device, and the host would discard it because it expects the reply to come from 202.38.1.2.
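The following Python model is an added illustration, not Comware code and not part of the original configuration guide. It walks an FTP control connection from Host A through the two translations described above, using the addresses of this example, and shows what breaks when either hairpin or the outbound NAT is left out. It assumes that 202.38.1.1 is the address of GigabitEthernet1/0/2 (the address Easy IP uses) and that the translation picks source port 1025; both values are taken from the session output shown later on this page.

```python
"""Model of the two translations applied to a hairpinned FTP connection.

Constructed example for illustration; not Comware code. Addresses are those of
the example topology. Assumed: GE1/0/2 holds 202.38.1.1 and Easy IP picks port 1025.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_IF, EXTERNAL_IF = "GigabitEthernet1/0/1", "GigabitEthernet1/0/2"
EXTERNAL_IF_ADDR = "202.38.1.1"          # assumed address of GE1/0/2, used by Easy IP
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
ACL_2000 = INTERNAL_NET                  # rule permit source 192.168.1.0 0.0.0.255
NAT_SERVER = {("tcp", "202.38.1.2", 21): ("192.168.1.4", 21)}  # global -> inside
PAT_PORT = 1025                          # assumed port chosen by the Easy IP translation


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str

    def __str__(self):
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


def egress_if(dst):
    return INTERNAL_IF if ipaddress.ip_address(dst) in INTERNAL_NET else EXTERNAL_IF


def nat_forward(pkt, hairpin=True, outbound=True):
    """Translate the first packet of a session and record the NAT session entry.

    Step 1 (NAT Server) rewrites the destination for packets arriving on the
    external interface, or on the internal interface when hairpin is enabled.
    Step 2 (outbound NAT with Easy IP) rewrites the source of ACL 2000 traffic
    that leaves through the external interface or was hairpinned.
    """
    src, sport, dst, dport = pkt.src, pkt.sport, pkt.dst, pkt.dport
    key = (pkt.proto, dst, dport)
    hairpinned = False
    if key in NAT_SERVER and (pkt.in_if == EXTERNAL_IF or (hairpin and pkt.in_if == INTERNAL_IF)):
        dst, dport = NAT_SERVER[key]
        hairpinned = pkt.in_if == INTERNAL_IF
    if outbound and ipaddress.ip_address(src) in ACL_2000 and (
            hairpinned or egress_if(dst) == EXTERNAL_IF):
        src, sport = EXTERNAL_IF_ADDR, PAT_PORT
    translated = Packet(pkt.proto, src, sport, dst, dport, pkt.in_if)
    return translated, {"initiator": pkt, "translated": translated}


def nat_reverse(reply, session):
    """Undo both translations for a reply that matches the session entry."""
    fwd, orig = session["translated"], session["initiator"]
    if (reply.src, reply.sport, reply.dst, reply.dport) != (fwd.dst, fwd.dport, fwd.src, fwd.sport):
        return None
    return Packet(reply.proto, orig.dst, orig.dport, orig.src, orig.sport, reply.in_if)


def simulate(hairpin=True, outbound=True):
    """Host A (192.168.1.2) opens the FTP control connection to public address 202.38.1.2."""
    syn = Packet("tcp", "192.168.1.2", 1694, "202.38.1.2", 21, INTERNAL_IF)
    fwd, session = nat_forward(syn, hairpin, outbound)
    if fwd.dst != "192.168.1.4":
        return {"ok": False, "session": session,
                "reason": f"{fwd} never reaches the server: destination was not translated"}
    # The server answers whoever it saw as the client.
    reply = Packet("tcp", fwd.dst, fwd.dport, fwd.src, fwd.sport, INTERNAL_IF)
    if egress_if(reply.dst) == INTERNAL_IF:
        delivered = reply          # stays on the LAN, bypasses the router, nothing is un-translated
    else:
        delivered = nat_reverse(reply, session)
    expected = (syn.dst, syn.dport, syn.src, syn.sport)
    got = (delivered.src, delivered.sport, delivered.dst, delivered.dport) if delivered else None
    if got != expected:
        return {"ok": False, "session": session,
                "reason": f"Host A expects a reply from {syn.dst}:{syn.dport} but gets {delivered}"}
    return {"ok": True, "session": session, "reason": "both translations reversed"}


if __name__ == "__main__":
    for hp, ob in ((True, True), (False, True), (True, False)):
        r = simulate(hp, ob)
        print(f"hairpin={hp!s:5} outbound={ob!s:5} ok={r['ok']!s:5} "
              f"{r['session']['translated']}  {r['reason']}")
```

With both features configured, the recorded session is 192.168.1.2:1694 -> 202.38.1.2:21 on the initiator side and 202.38.1.1:1025 -> 192.168.1.4:21 on the responder side, which is the entry that display nat session verbose shows for this example. Disabling hairpin leaves the destination untranslated, and dropping the outbound NAT lets the server reply straight to Host A with its private address, so the host never matches the reply to its connection.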
Configuration procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2000 with a rule that permits only packets from subnet 192.168.1.0/24 to be translated.
<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure NAT Server on interface GigabitEthernet 1/0/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 ftp
# Enable outbound NAT with Easy IP on interface GigabitEthernet 1/0/2 so that NAT translates the source addresses of packets from internal hosts matching ACL 2000 into the IP address of interface GigabitEthernet 1/0/2 (202.38.1.1).
[Router-GigabitEthernet1/0/2] nat outbound 2000
[Router-GigabitEthernet1/0/2] quit
# Enable NAT hairpin on interface GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] nat hairpin enable
Verifying the configuration
# Verify that both internal and external hosts can access the internal FTP server through the public address. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000          Address group ID: ---
    Port-preserved: N  NO-PAT: N          Reversible: N
    Config status: Active

NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.2/21
    Local IP/port : 192.168.1.4/21
    Config status : Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled

NAT hairpinning:
  Totally 1 interfaces enabled with NAT hairpinning.
  Interface: GigabitEthernet1/0/1
    Config status: Active

NAT mapping behavior:
  Mapping mode : Address and Port-Dependent
  ACL          : ---
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled
# Display the NAT session generated when Host A (192.168.1.2) accesses the FTP server. The initiator's destination 202.38.1.2/21 is translated to 192.168.1.4/21 by the NAT Server mapping, and its source 192.168.1.2/1694 is translated to 202.38.1.1/1025 by the outbound NAT, so the server's replies are sent back to the router and not directly to Host A.
[Router] display nat session verbose
Initiator:
  Source      IP/port: 192.168.1.2/1694
  Destination IP/port: 202.38.1.2/21
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source      IP/port: 192.168.1.4/21
  Destination IP/port: 202.38.1.1/1025
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
State: TCP_ESTABLISHED
Application: FTP
Start time: 2012-08-15 14:53:29  TTL: 3597s
Initiator->Responder:            7 packets        308 bytes
Responder->Initiator:            5 packets        312 bytes
Total sessions found: 1